[JBoss JIRA] (WFLY-12095) Use HTTPS and only HTTPS for management interfaces in default configuration
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-12095?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFLY-12095:
-----------------------------------------
This is something to revisit after WFLY-1598
> Use HTTPS and only HTTPS for management interfaces in default configuration
> ---------------------------------------------------------------------------
>
> Key: WFLY-12095
> URL: https://issues.jboss.org/browse/WFLY-12095
> Project: WildFly
> Issue Type: Enhancement
> Components: Management, Security
> Affects Versions: 16.0.0.Final
> Reporter: Jan Stourac
> Priority: Major
>
> The current default configuration of WildFly uses plaintext HTTP for the management interfaces that are used for web-console access. Even though it is possible to switch to HTTPS after logging in to the web console, I believe we should incorporate an HTTPS-only configuration of the management interfaces in our default WildFly configuration.
> Note that digest-auth is used for the web-console login, so the password is not sent in plain text over the network, although there is still the possibility of a MITM attack, in which one can see what management operations are performed (the actual request payload is binary, although I presume it is easy to decode when one knows how to do it).
> Yes, I understand that by default there will be just a self-signed certificate generated for the server on the first HTTPS request, but I believe it is still an improvement.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
[JBoss JIRA] (WFLY-12095) Use HTTPS and only HTTPS for management interfaces in default configuration
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-12095?page=com.atlassian.jira.plugin... ]
Darran Lofthouse reassigned WFLY-12095:
---------------------------------------
Assignee: (was: Darran Lofthouse)
> Use HTTPS and only HTTPS for management interfaces in default configuration
> ---------------------------------------------------------------------------
>
> Key: WFLY-12095
> URL: https://issues.jboss.org/browse/WFLY-12095
> Project: WildFly
> Issue Type: Enhancement
> Components: Management, Security
> Affects Versions: 16.0.0.Final
> Reporter: Jan Stourac
> Priority: Major
>
> The current default configuration of WildFly uses plaintext HTTP for the management interfaces that are used for web-console access. Even though it is possible to switch to HTTPS after logging in to the web console, I believe we should incorporate an HTTPS-only configuration of the management interfaces in our default WildFly configuration.
> Note that digest-auth is used for the web-console login, so the password is not sent in plain text over the network, although there is still the possibility of a MITM attack, in which one can see what management operations are performed (the actual request payload is binary, although I presume it is easy to decode when one knows how to do it).
> Yes, I understand that by default there will be just a self-signed certificate generated for the server on the first HTTPS request, but I believe it is still an improvement.
[JBoss JIRA] (WFCORE-629) Enabled automatic encryption of passwords stored in configuration
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-629?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFCORE-629:
------------------------------------
Fix Version/s: 10.0.0.Beta1
(was: 11.0.0.Beta1)
> Enabled automatic encryption of passwords stored in configuration
> -----------------------------------------------------------------
>
> Key: WFCORE-629
> URL: https://issues.jboss.org/browse/WFCORE-629
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Management, Security
> Environment: Wildfly 9
> Reporter: Jason Shepherd
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 10.0.0.Beta1
>
>
> Currently, encrypting passwords such as datasource passwords can only be done 'after the fact'. You have to create the datasource first, then retrospectively store the password in the vault and dereference it in the configuration.
> It would be great if one could turn on automatic storage of passwords in the vault, so that when you create a datasource password, or add a resource adapter which specifies a remote resource password, those passwords were automatically added to the vault and dereferenced in the configuration file.